hcp-ansible/playbooks/group_vars/all/globals.yml
Bertrand Lanson ed27759dcd
All checks were successful
development / Check commit compliance (push) Successful in 26s
pull-requests-open / Check commit compliance (pull_request) Successful in 26s
feat: add barebone driver options for nomad (not fully working)
2024-07-10 19:32:59 +02:00

280 lines
7.4 KiB
YAML

---
##########################
# General options ########
##########################
enable_haproxy: "yes"
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "yes"
haproxy_version: "2.8"
nomad_version: "1.8.1"
consul_version: "1.18.1"
vault_version: "1.16.2"
consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab
hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
########################
# external tls options #
########################
enable_tls_external: false
external_tls_externally_managed_certs: false
#####################################################
# #
# Consul #
# #
#####################################################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
################################
# consul address configuration #
################################
consul_address_configuration:
# The address to which Consul will bind client interfaces,
# including the HTTP and DNS servers.
client_addr: "0.0.0.0"
# The address that should be bound to for internal cluster communications.
bind_addr: "{{ api_interface_address }}"
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
advertise_addr: "{{ api_interface_address }}"
############################
# consul ACL configuration #
############################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
############################
# consul DNS configuration #
############################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
###########################
# consul ui configuration #
###########################
consul_ui_configuration:
enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
consul_mesh_configuration:
enabled: true
############################
# consul tls configuration #
############################
consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certificates_directory }}/cert.pem"
key_file: "{{ consul_certificates_directory }}/key.pem"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
############################
# consul container volumes #
############################
extra_consul_container_volumes: []
##############################
# consul extra configuration #
##############################
consul_extra_configuration: {}
consul_extra_files_list: []
#####################################################
# #
# Vault #
# #
#####################################################
vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
key_shares: 3
key_threshold: 2
#################
# vault storage #
#################
vault_storage_configuration:
raft:
path: "{{ hashicorp_vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##################
# vault listener #
##################
vault_enable_tls: false
vault_tls_verify: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
tls_disable_client_certs: true
vault_extra_listener_configuration: {}
########################
# service registration #
########################
vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
consul:
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
#################
# vault plugins #
#################
vault_enable_plugins: false
###########
# logging #
###########
vault_enable_log_to_file: false
vault_logging_configuration:
log_level: info
log_format: standard
log_rotate_duration: 24h
log_rotate_max_files: 30
###########################
# vault container volumes #
###########################
extra_vault_container_volumes: []
#############################
# vault extra configuration #
#############################
vault_extra_configuration: {}
vault_extra_files_list: []
#####################################################
# #
# Nomad #
# #
#####################################################
nomad_datacenter: dc1
nomad_region: global
###########################
# nomad ACL configuration #
###########################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
############################
# nomad consul integration #
############################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
tags: []
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}
###############################
# nomad drivers configuration #
###############################
nomad_driver_enable_docker: yes
nomad_driver_enable_podman: no
nomad_driver_enable_raw_exec: no
nomad_driver_enable_java: no
nomad_driver_enable_qemu: no
nomad_driver_extra_configuration: {}
######################
# nomad internal tls #
######################
nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
key_file: "{{ nomad_certificates_directory }}/key.pem"
verify_server_hostname: true
#############################
# nomad extra configuration #
#############################
nomad_extra_configuration: {}
nomad_extra_files_list: []